2.10.0

Highlights

REVEN version 2.10 is packed with new features, with the following highlights:

  • Improved UX for newcomers with a step-by-step installation and quick start guide, and several UI pitfalls rubbed out.
  • Improved performance on the Analysis side, with scripts such as detect_use_after_free.ipynb running up to 8 times faster.
  • A new API to iterate on contexts inside a process or a ring.
  • A new API to inspect prototypes of functions and read parameters and return value.
  • New OSSI for Linux CentOS 8 and enhanced OSSI for mangled symbols and Windows 21H1.

In more detail:

  • Fast path from downloading REVEN to the analysis of your first scenario: Using REVEN is easier than ever, thanks to many improvements to the setup process and documentation. We changed the default options to be more convenient and push first-time users towards the fast path. The revamped Installation section and the brand new Quick start guide will guide you through the installation and first use of REVEN, from the moment you download your package to the analysis of your first scenario!
  • Process/Ring filters API: The new Trace.filter method iterates on the contexts that match a specific set of processes and/or rings. This easily covers the common use case of analyzing only some processes in userspace (e.g. only looking at the instructions executed while running Chrome).
  • Preview Prototype API: The Prototype API is what has been powering our ltrace and file-activity report scripts since their release in 2.6 and 2.7. This API is now exposed as a preview.prototypes package, which parses C headers to return the signatures of the functions they declare, and also exposes the ABI calling convention so that you can easily read e.g. the value of the third argument or the return value of a call. Refer to the documentation of that package for more information.
  • Faster analysis: A new optional resource (replayed by default) called the Executed blocks allows iterating on transition objects faster, yielding performance improvements for the replay of some resources and for the analyses that depend on iterating on transitions. Concretely, we observe speedups of x5 for sequential instruction recovery and up to x100 for random access of transitions. For end-user scripts such as detect_use_after_free.ipynb this translates to a speedup of up to x8.
  • More complete and customizable symbol demangling: Axion now displays in most places a shorter form of the demangled symbols. The full signature is available at the call of a symbol or on demand. Meanwhile, the symbol API sees the addition of three new entries: Symbol.source_name, Symbol.name_only and Symbol.prototype, which recover mangled and demangled symbol names in their short or long form.
  • More OSSI (current process, binary, symbol) support:
    • On the Windows front, REVEN 2.10 better supports the latest released version of Windows 10 (21H1).
    • REVEN now supports resolving the OSSI for the CentOS 8 distribution.
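As an added illustration of what a prototype/ABI helper such as the one described above does, the following standalone code parses a one-line C prototype and locates each integer/pointer argument and the return value under the Windows x64 calling convention, then reads one argument from a register snapshot taken at function entry. This is my own example, not the reven2 preview.prototypes API; the function names, the WriteFile prototype and the register/stack values are constructed for the demonstration.

```python
# Added illustration (not the reven2 preview.prototypes API): parse a C
# prototype and locate integer/pointer parameters and the return value under
# the Windows x64 calling convention, then read one from a register snapshot.
# Floating-point arguments (passed in xmm registers) are deliberately not handled.
import re
from typing import Callable, Dict, List, Tuple

Param = Tuple[str, str]                      # (type, name)
Proto = Tuple[str, str, List[Param]]         # (return type, function name, params)

WIN64_ARG_REGS = ["rcx", "rdx", "r8", "r9"]  # first four integer/pointer args
WIN64_FIRST_STACK_ARG = 0x28                 # [rsp+8] return addr + 0x20 shadow space
WIN64_RETURN_REG = "rax"

_PROTO_RE = re.compile(r"^\s*(?P<ret>[\w\s*]+?)\s*\b(?P<name>\w+)\s*\((?P<params>.*)\)\s*;?\s*$")
_PARAM_RE = re.compile(r"^(?P<type>.+?)\s*\b(?P<name>\w+)$")

def parse_prototype(decl: str) -> Proto:
    """Split a one-line C prototype into return type, name and named parameters."""
    m = _PROTO_RE.match(decl)
    if not m:
        raise ValueError(f"not a function prototype: {decl!r}")
    params: List[Param] = []
    raw = m.group("params").strip()
    if raw and raw != "void":
        for p in raw.split(","):
            pm = _PARAM_RE.match(p.strip())
            if not pm:
                raise ValueError(f"parameter must be named: {p.strip()!r}")
            params.append((pm.group("type").strip(), pm.group("name")))
    return m.group("ret").strip(), m.group("name"), params

def win64_location(index: int) -> Tuple[str, object]:
    """Where the caller placed 0-based integer/pointer argument `index` at entry."""
    if index < len(WIN64_ARG_REGS):
        return "reg", WIN64_ARG_REGS[index]
    return "stack", WIN64_FIRST_STACK_ARG + 8 * (index - len(WIN64_ARG_REGS))

def read_argument(proto: Proto, index: int, regs: Dict[str, int],
                  read_stack: Callable[[int], int]) -> int:
    """Read argument `index` of `proto` from a snapshot at function entry;
    `read_stack(off)` returns the qword stored at [rsp+off]."""
    if not 0 <= index < len(proto[2]):
        raise IndexError(f"{proto[1]} has {len(proto[2])} parameters")
    kind, where = win64_location(index)
    return regs[where] if kind == "reg" else read_stack(where)

def read_return_value(regs: Dict[str, int]) -> int:
    """Integer/pointer return value, read from a snapshot taken after the call returns."""
    return regs[WIN64_RETURN_REG]

# Constructed sample: a WriteFile prototype and a fake register/stack snapshot.
WRITEFILE = parse_prototype("BOOL WINAPI WriteFile(HANDLE hFile, LPCVOID lpBuffer,"
                            " DWORD nBytes, LPDWORD lpWritten, LPOVERLAPPED lpOverlapped);")
SAMPLE_REGS = {"rcx": 0x1c8, "rdx": 0x7ff612341000, "r8": 0x40, "r9": 0x19f820, "rax": 1}
SAMPLE_STACK = {0x28: 0x0}  # lpOverlapped == NULL, the fifth argument, passed on the stack
```

Running `read_argument(WRITEFILE, 2, SAMPLE_REGS, SAMPLE_STACK.__getitem__)` yields the third argument (nBytes) from r8, and index 4 falls through to the stack slot at [rsp+0x28].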

Improvements

REVEN

  • Taint performance optimization, with up to 66% speedup in workloads with many pieces of tainted memory.

Project Manager

  • For new installations, the list of PDB servers is now pre-populated with common PDB servers. For existing installations, you can refer to the documentation if you want to add the new PDB servers.
  • Virtual Machines (VMs) in the qcow format are now automatically converted to the qcow2 format during the VM registration wizard.
  • The error message when there is a timeout during a binary autorecord is now clearer.
  • Now, by default, all resources are selected for replay in the Replay page of a scenario, as this is the most common use case.
  • The Axion GUI client and the VM displays are now being rendered by default from the Project Manager's web interface, in your browser. To configure another behavior, please refer to the documentation.
  • The logs of the services of the Project Manager (Postgres, Redis, Celery, uWSGI, etc.) are now rotated, to avoid accidental destruction of log information when restarting the Project Manager.

Analysis Python API

  • In a Jupyter Notebook, a reven2.address.LinearAddress, reven2.address.LogicalAddress or reven2.address.LogicalAddressSegmentIndex instance now displays as a clickable link that instructs Axion to open a hexdump widget at that address.
  • The Sessions.publish_address method publishes an address to synchronized clients such as Axion.
  • The Ossi.executed_processes method returns the processes executed in a Windows scenario.
  • The Transition.pc and Transition.mode properties allow to query the RIP and CPU mode associated with a transition.

Analysis Python API script library

  • The new script automatic-post-fuzzer-recorder.py that was demonstrated in a recent article has been added to the examples in the package.
  • threadsync.py adds an option to filter by synchronization primitive, and replaces the --cr3 option with a --pid option for ease of use and consistency with other scripts.
  • detect_data_race.ipynb sees improved performance for workloads with many accessed memory addresses. The output of the notebook has been tuned to better distinguish between undetermined and positive cases.
  • export_bookmarks.ipynb now supports exporting bookmarks even when the OSSI is not available, but emits a warning in that case.
  • bk2bp.ipynb now correctly reports its dependency on the OSSI.
  • ltrace and file-activity now use the provided preview.prototypes API.

Fixed issues

REVEN

  • OSSI: For Windows scenarios, the MMU can now read standby pages in memory, solving an issue where certain modules could not be loaded.
  • Some interrupts would mistakenly report that they would occur while executing an instruction when it wasn't the case. This issue is fixed for scenarios with the Executed Blocks resource replayed.
  • The stack event and PC range replay would fail with Error: Cannot disassemble empty data when encountering an instruction with empty data.
  • The server would crash when tainting through an instruction with empty or wrong data.

Project Manager

  • A VM or its snapshots can no longer be used to record a scenario or be selected in the VM list while it is being registered in the Wizard.
  • The Project Manager no longer blocks the user from registering new VMs when a VM or snapshot is unexpectedly deleted during registration.

Axion

  • A sporadic segmentation fault crash in the Calltree view has been fixed.
  • The calltree no longer crashes after disconnecting from a project and reconnecting to a different project in Axion.
  • The calltree no longer sporadically logs an error reading "impossible case".

Analysis Python API Compatibility Notes

  • The following deprecated classes and methods have been removed:
    • The Stack.backtrace method and the BackTrace class: print the Stack object directly to display a backtrace.
    • The Taint.changes method and the TaintChanges and TaintChangeView classes: use Taint.accesses(changes_only=True) to get the changes of the taint.
  • The return value of Symbol.name changed: previously it would return the prototype, now it returns the short name (Symbol.name_only) of a symbol if available, or otherwise defaults to the source name (Symbol.source_name).